
System and user configuration, managed by nix and home-manager

use srvos for better defaults on linde/marvin

Alan Pearce
commit

6f752c78607cf2043e0bd2ce4219510bc7965276

parent

bbc69d9fbfead8f20c48d76dec98cce143ad9602

1 file changed, 29 insertions(+), 43 deletions(-)

changed files
M system/linde.nixsystem/linde.nix
@@ -6,14 +6,14 @@ { config, lib, pkgs, ... }:
with lib; let
- netif = "enp1s0";
+ netif = "eth0";
 hostname = "linde";
 net-ip4 = "116.203.248.56";
- net-mask4 = "32";
+ net-mask4 = 32;
 net-gw = "172.31.1.1";
 net-ip6 = "2a01:4f8:c012:23a4::1";
 net-redisip = "2a01:4f8:c012:23a4::6379";
- net-mask6 = "64";
+ net-mask6 = 64;
 net-gw6 = "fe80::1";
 domain = "alanpearce.eu";
 ts-domain = "hydra-pinecone.ts.net";
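Review bot: `netif = "eth0"` assumes the kernel's predictable interface naming is turned off for this host, and nothing in this file does that; if it is not disabled elsewhere (the srvos profile named in the commit title is not visible in the single changed file), the `interfaces.${netif}` block added later in this commit binds the static addresses to an interface that does not exist and the host comes up without connectivity. Either state the dependency on the line, `# relies on predictable interface names being disabled by the imported profile`, or pin it here with `networking.usePredictableInterfaceNames = false;` so the assumption lives next to the name it protects. The change of `net-mask4`/`net-mask6` from strings to integers is consistent with their later use as `prefixLength`.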
@@ -56,9 +56,6 @@ file = ../secrets/golink.age;
};
 };
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 time.timeZone = "Europe/Berlin";
@@ -85,8 +82,6 @@ services.openssh = {
enable = true;
 settings = {
 PermitRootLogin = "without-password";
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
 };
 };
 services.sshguard = {
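Review bot: Removing `PasswordAuthentication = false` and `KbdInteractiveAuthentication = false` drops two explicit SSH hardening settings while `PermitRootLogin = "without-password"` stays explicit in the same `settings` block, and nothing in this diff shows what now sets them; the commit title suggests the srvos profile does, but that import is not among the changed lines. The same question applies to the removed `security.sudo.execWheelOnly = true` in the sudo hunk and to the removed boot-loader lines in the `boot.loader` hunk. If the profile defines the same values, keeping these two lines should be a no-op (the module system accepts equal definitions) and leaves the hardening visible in the host file and robust against a later change of profile; if it does not, they need to come back. At minimum a comment such as `# PasswordAuthentication/KbdInteractiveAuthentication are set by the imported srvos profile` records the dependency. The enclosing `services.openssh` attrset starts before this hunk.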
@@ -134,6 +129,7 @@ package = pkgs.nix-serve-ng;
secretKeyFile = config.age.secrets.binarycache.path;
 };
+ programs.vim.defaultEditor = false;
 programs.neovim = {
 enable = true;
 defaultEditor = true;
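Review bot: `programs.vim.defaultEditor = false;` gives no reason, and the only nearby context is `programs.neovim.defaultEditor = true` directly below it; presumably it cancels a profile that enables vim as the default editor so the two settings do not conflict, but this file does not show that. A one-line comment above it, `# the imported profile sets vim as default editor; neovim should win here` (adjusted to whatever actually sets it), makes the override self-explanatory.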
@@ -144,7 +140,6 @@
networking = {
 hostName = hostname;
 inherit domain;
- useDHCP = false;
 dhcpcd.enable = false;
 nameservers = [
 "2606:4700:4700::1111"
@@ -157,6 +152,30 @@ ${net-ip4} = [ "${hostname}.${domain}" hostname ];
${net-ip6} = [ "${hostname}.${domain}" hostname ];
 ${net-redisip} = [ "redis" ];
 };
+ defaultGateway = {
+ address = net-gw;
+ interface = netif;
+ };
+ defaultGateway6 = {
+ address = net-gw6;
+ interface = netif;
+ };
+ interfaces.${netif} = {
+ ipv4 = {
+ addresses = [
+ { address = net-ip4; prefixLength = net-mask4; }
+ ];
+ routes = [
+ { address = net-gw; prefixLength = 32; }
+ ];
+ };
+ ipv6 = {
+ addresses = [
+ { address = net-ip6; prefixLength = net-mask6; }
+ { address = net-redisip; prefixLength = net-mask6; }
+ ];
+ };
+ };
 firewall = {
 enable = true;
 allowPing = true;
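Review bot: The `routes` entry `{ address = net-gw; prefixLength = 32; }` looks like a repeat of the address mask but is a host route: `net-gw` (172.31.1.1) lies outside 116.203.248.56/32, so without an on-link /32 route to it the gateway named in `defaultGateway` is unreachable and IPv4 never comes up. Because `net-mask4` is now also the integer 32, a later cleanup could fold the literal into `net-mask4` and break routing the day the mask changes, so the intent deserves a comment on that line: `# host route: the gateway is off-link for a /32 address and must be reached via the interface directly`. No equivalent route is needed on the IPv6 side because `net-gw6` (fe80::1) is link-local.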
@@ -188,44 +207,12 @@ enable = false;
useLocalResolver = false;
 };
 };
+ services.cloud-init.network.enable = false;
 services.resolved = {
 enable = true;
 llmnr = "false";
 dnssec = "true";
 };
- systemd.network = {
- enable = true;
- networks.${netif} =
- {
- name = netif;
- routes = [
- {
- Gateway = net-gw6;
- PreferredSource = net-ip6;
- QuickAck = true;
- InitialCongestionWindow = 30;
- InitialAdvertisedReceiveWindow = 30;
- }
- {
- Gateway = net-gw;
- QuickAck = true;
- InitialCongestionWindow = 30;
- InitialAdvertisedReceiveWindow = 30;
- }
- ];
- address = [
- "${net-ip6}/${net-mask6}"
- "${net-redisip}/${net-mask6}"
- ];
- addresses = [{
- Address = "${net-ip4}/${net-mask4}";
- Peer = "${net-gw}/32";
- }];
- };
- wait-online = {
- extraArgs = [ "--interface=${netif}" ];
- };
- };
 services.tailscale = {
 enable = true;
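Review bot: The new `networking.interfaces`/`defaultGateway` declarations carry no equivalent of the per-route tuning (`QuickAck`, `InitialCongestionWindow`, `InitialAdvertisedReceiveWindow`) and the `wait-online` restriction to `${netif}` that the removed `systemd.network` block had, and neither the commit message nor a comment says the tuning was dropped on purpose. If that is intended, say so near the added `services.cloud-init.network.enable = false;` line, e.g. `# route tuning from the old systemd.network config intentionally not carried over`, so the next reader does not re-add it blindly; if not, it needs a home in the new form. That added line also implies cloud-init is enabled somewhere outside this file, so a short comment that it exists to keep the static configuration above authoritative would help.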
@@ -283,7 +270,6 @@
"net.ipv4.tcp_slow_start_after_idle" = false;
 };
- security.sudo.execWheelOnly = true;
 security.sudo.extraConfig = ''
 Defaults:root,%wheel env_keep+=EDITOR
 '';